Just a few years ago, digital fraud was an incident – a one-off problem that IT security departments solved. Today, they have become part of the financial sector’s operating costs. The 60-70 per cent annual increase in attacks no longer surprises anyone. Instead of asking “will we be attacked?”, banks are asking: “will we be able to stop a customer from making the wrong decision?”.
According to industry reports, the scale of the phenomenon has grown to unprecedented proportions. Voice phishing (vishing) has doubled, SMS attacks have shot up tenfold. Scams based not on technology but on psychology – romance and investment – are growing the most. This is no longer a simple theft of login details, but a full-scale manipulation in which the victim himself, voluntarily, hands over money.
From hackers to criminal corporations
In the public mind, a fraudster is still associated with a lone wolf in a hoodie. Meanwhile, modern digital fraud resembles the outsourcing business model. There are centres – entire cities – in Asia and Africa where specialised ‘scam factories’ are set up. Employees have targets, call scripts, CRM systems. They create fake bank helplines, investment funds and even ‘security specialists’.
Such a model works like an industry. In one place, phishing tools are developed, in another, AI synthetic voices are generated, in yet another, months-long relationships with victims are conducted. The main goal is not to take over the account – but to get the user to authorise the transfer themselves. The bank has all the safeguards in place, but it is the customer who becomes the attack vector.
Why classical safeguards have failed
Digital banking has built its protection mechanisms around authentication – passwords, SMS codes, two-factor logins. The problem is that the system verifies the device and the correctness of the data, not the user’s intention. If the customer himself, knowingly, initiates a transaction – the system considers it legitimate.
Meanwhile, scams have evolved. A scammer can carry on a conversation with a victim for hours, instructing them step by step, impersonating a bank consultant, even simulating a ‘service intervention’. No 2FA code will stop a user believing he is saving his own money. The bank sees the movement, but does not know the context.
Banks’ new weapon: behaviour instead of password
Therefore, the financial sector is shifting its centre of gravity from hard security to soft analytics – behavioural observation. The era of behavioural biometrics is beginning. It is not about facial or fingerprint recognition, but about micro-behaviours: the rhythm of typing, the speed of scrolling, the way one moves through an application.
If the user suddenly starts to enter the account number with extreme precision, if they change their habit of using the app or hesitate to authorise – the system suspects that they may be under the influence of a fraudster. The idea is not to block, but to intervene: an additional question, a chat conversation, a warning.
Some banks report up to a 15 per cent drop in identity theft fraud after implementing such tools. Signals that no one analysed before – now become the foundation of protection.
Scam-as-a-Service versus the bank’s AI
In the background, the technological architecture is also changing. Fraudsters are using AI to generate fake voices and convincing stories. Banks are countering AI with predictive systems. As a result, a new arms race is forming: machine learning versus machine learning.
There comes a point when a bank will have to make controversial decisions. What if the system deems a transaction suspicious but the customer insists? Can the bank stop the transfer “for the safety” of the user, who is convinced that he knows what he is doing?
This is no longer just a question of technology – it is about the relationship with the customer and the responsibility of the financial institution.
The economics of fraud – billions in costs and uncomfortable questions
According to estimates by industry organisations, the value of consumer losses exceeds USD 1 trillion per year. This is more than the annual budget of many countries. For banks, fraud is no longer an exceptional cost – it is an operational line in P&L.
The question is increasingly being asked: who is liable? In Australia and the UK, regulators are forcing banks to return funds to customers who have been defrauded. As a result, financial institutions have to decide whether to invest in prevention or prepare funds for compensation. In both cases, costs are rising.
From financial institution to digital guardian
The bank is undergoing a role transformation. Not so long ago, it was a depository of money. Today, it is to be the guardian of the customer’s digital intentions. It no longer protects only assets, but also the consciousness of the user, who interacts with an invisible adversary.
This gives rise to a new promise: “we protect you even from yourself”. A bank that notices that a customer is trying to transfer money to a fraudster must have the courage to stop the procedure – even if the regulator looks crooked.
What next?
The era of mass fraud is not a temporary crisis. It is a permanent feature of the digital economy. Just as e-commerce has accepted the costs of returns and complaints, banking is beginning to see fraud as a built-in business variable.
One thing seems certain: the line between banking and cyber security is disappearing. In a world where fraud is scaled like a start-up, the financial system must become not only fast and digital, but – above all – predictive. A bank that can stay ahead of a criminal’s intentions will win not only in the scoreboard, but also in customer trust.
